
The proposed extension of the scope of NIS2, which would effectively oblige more entities and sectors to take measures, should help to increase the level of cybersecurity in Europe in the long term. The main objective of cybersecurity regulation is to ensure that organizations that are important for the functioning and economy of the state take preventive measures to strengthen their cybersecurity and, thereby, the cybersecurity of society as a whole.
This is a key step in preventing, detecting, and mitigating the impact of potential cybersecurity incidents. This requirement, represented by the obligation to implement so-called security measures, is the central purpose of the Cyber Security Act, and the same applies to the NIS2 Directive. The original NIS Directive only stipulated in general terms that obligated entities must ensure appropriate and proportionate technical and organizational measures to address risks and prevent incidents. The draft NIS2 Directive goes into considerably more detail about what those measures must cover.
Compared to the current NIS Directive, the NIS2 Directive will expand the entities that will be subject to its mandatory regulation. These entities can be classified into two regimes – "essential" and "important." Entities falling under the essential regime are to be the most important entities protected under the regulation. The main difference between the essential and important regimes lies in the protection requirements, which should be stricter for essential entities.
Organizations covered by the NIS2 Directive will be required to implement security measures. This obligation applies to organizations regardless of whether they are classified as essential or important.
Large organization     Essential    Important
Medium organization    Important    Important
Source of table: https://osveta.nukib.cz/mod/page/view.php?id=2617
The NIS2 Directive emphasizes the responsibility of each organization's management for approving and implementing security measures to reduce cybersecurity risks. Under these requirements, management is also obliged to attend cybersecurity training in person and to encourage its employees to do the same.
Each Member State will then have the option of developing its own and/or additional security measures in its legislation.